Vault deployment architecture - best approach

I am trying to implement Vault and I am running through the documentation to find the best deployment approach. In my use case Vault will be used mainly as a secrets manager and it will be accessed by the applications running on a K8S cluster, as well as some other external services such as GitLab (I don’t want to store secrets in GitLab directly). I have read that there are a few basic approaches:

  • Vault on a separate server (on a VM running as a service, can be configured via Ansible) - this is not the best High Availability solution, as it has to be maintained and checked frequently. Also, a Vault Agent Injector server that depends on this external Vault server needs to be implemented on the K8S cluster where the other apps are running.
  • Vault on K8S:
    1. Standalone (default): a single Vault server persisting to a volume using the file storage backend
    2. High-Availability (HA): a cluster of Vault servers that use an HA storage backend such as Consul (default)

I have two questions about the above:

  • Is it a good solution to run Vault on the same cluster as other applications? Or should Vault run on a separate dedicated cluster for better security?
  • If I cannot run Vault on the same cluster as other applications, is it better to run Vault on a separate VM directly on the machine, or to configure a cluster with one node manually and run Vault on this machine as multiple pods?

If you have some insights on those deployment strategies or maybe some other ideas, let me know. Thanks in advance!
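As an added illustration (not the poster's configuration, nor text from the Vault docs), the difference between the two Vault-on-K8S modes in the list above comes down to the server's storage stanza and its cluster addressing; the Consul service address, pod hostnames and TLS file paths below are assumed placeholders:

```hcl
# HA mode: several Vault pods share an HA-capable backend (Consul here, the
# chart's default). Standbys forward client requests to the active node, so
# every pod must advertise its own api_addr and cluster_addr.
storage "consul" {
  address = "consul-server.consul.svc:8500"   # assumed Consul service address
  path    = "vault/"                          # key prefix Vault owns in Consul
}

# Keep TLS on the client listener even inside the cluster: the Agent Injector
# and GitLab talk to this endpoint, and tokens travel over it.
listener "tcp" {
  address         = "0.0.0.0:8200"            # client API
  cluster_address = "0.0.0.0:8201"            # server-to-server traffic
  tls_cert_file   = "/vault/userconfig/tls/tls.crt"   # placeholder path
  tls_key_file    = "/vault/userconfig/tls/tls.key"   # placeholder path
}

# Per-pod advertised addresses (placeholder names; in practice templated
# from the pod name so each replica advertises itself, not a shared VIP).
api_addr     = "https://vault-0.vault-internal:8200"
cluster_addr = "https://vault-0.vault-internal:8201"

ui = true

# Standalone mode (the chart's default) differs only in the storage stanza,
# which becomes:   storage "file" { path = "/vault/data" }
# and in having no cluster_address/cluster_addr, because there is exactly one
# server and its persistent volume is the single point of failure.
```

In the official vault-helm chart this text is what goes into the `server.ha.config` value (with `server.ha.enabled` set to true), while the standalone variant lives under `server.standalone.config`.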